VRFing 101, Understanding VRF Basics - PacketU PDF

- Virtual Routing and Forwarding (VRF) allows routers to maintain multiple isolated routing tables. Each VRF instance acts as a separate routing domain.
- The document discusses configuring two VRF instances ("red" and "blue") on a router to provide isolation between two tenants accessing the same default gateway IP. Subinterfaces are assigned to each VRF and loopback interfaces are also added.
- Connectivity testing shows that each tenant can only access resources in its own VRF domain, demonstrating the isolation provided by VRF.

5/10/2015

VRFing 101, Understanding VRF Basics - PacketU

PacketU
What's on your wire[s]?

VRFing 101, Understanding VRF Basics
Posted on July 12, 2012 by Paul Stewart, CCIE 26009 (Security)

When most engineers think about VRF, [Link], short for Virtual Routing and Forwarding, is
[Link]
completely forget about MPLS and look at what this does to a single IOS-based router. This article is very
simplified VRF 101.
[Link], some people simply call these vee-are-effs.
Others pronounce them as verf or verfs (rhyming with surf). I catch myself being consistently inconsistent and
pronouncing them both ways. Unless you are my eighth grade grammar teacher, what VRFs do for us is more
[Link]? How does it change the behavior of a router? What
does a basic configuration look like? These are the types of questions that we will answer in this article.
[Link]
isolation is thought of as a VMware guest instance. I like to think of VRFs as similar to VLANs, but at layer 3.
VLANs are obviously a layer two topic, [Link], there is
a need to go through a device that has access to both VLANs. VRFs create the same type of isolation at layer 3.
However, the way that we jump between areas of isolation is a little different.
So what are we isolating? The answer to that question is key to understanding the effect of VRF instances in a
router. Let's go back to some routing fundamentals. Routers cannot typically share an IP subnet on multiple
[Link], but the general use case is that an IP
[Link]
IP address on multiple interfaces.

R1(config-if)#int loop 1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
//let's try to put the same address on loopback 2
R1(config-if)#int loop 2
R1(config-if)#ip address
R1(config-if)#ip address 192.168.1.1 255.255.255.0
% 192.168.1.0 overlaps with Loopback1

What if I had a multitenant environment and really needed to configure two interfaces with [Link]. It
[Link].
VRF, when used inside a single router, [Link]
[Link]
[Link], we'll see a separate command that will show us the
routes inside a VRF instance. By creating multiple route tables, we overcome the restrictions of multiple
[Link].

Key Concept: Each VRF instance is a separate route table.

The Challenge

[Link]
loopback on R1. R2 and R3 do not need to access one another. Both R2 and R3 must use 192.168.1.1 as a
default gateway. R2 and R3 must be in separate VLANs.

[Link], I believe we
[Link].

VRF configuration is fairly straightforward, so let's go ahead and get started.

//create the two VRFs
R1(config)#ip vrf red
R1(config)#ip vrf blue
//create each subinterface and place them into the appropriate VRF
//notice that we configure the IP address after configuring the VRF
//otherwise the router will remove the IP address
R1(config-subif)#int fa0/0.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip vrf forwarding red
R1(config-subif)#ip address 192.168.1.1 255.255.255.0
R1(config-subif)#int fa0/0.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip vrf forwarding blue
R1(config-subif)#ip address 192.168.1.1 255.255.255.0
//notice that the router accepted the same IP address on both interfaces
//this is because they are in separate VRF instances
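
As an added example (not part of the original article and not Cisco tooling), the Python sketch below reads interface configuration as commands in the order they would be typed and checks the points made above: ip vrf forwarding clears an address entered before it, a subnet is only rejected when it repeats inside one routing table, and an interface's connected routes are visible only from its own VRF. The sample text, the "global" label and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: this article's interfaces as typed commands (not device output).
SAMPLE_CONFIG = """\
interface FastEthernet0/0.10
 ip vrf forwarding red
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0.20
 ip vrf forwarding blue
 ip address 192.168.1.1 255.255.255.0
interface Loopback10
 ip vrf forwarding red
 ip address 10.10.10.10 255.255.255.0
interface Loopback20
 ip vrf forwarding blue
 ip address 20.20.20.20 255.255.255.0
"""
GLOBAL = "global"  # label this example uses for the non-VRF routing table

def parse_interfaces(config):
    """Map interface -> (routing table, address), applying commands in order."""
    table, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"] and len(words) == 2:
            name = words[1]
            table[name] = (GLOBAL, None)
        elif name and words[:3] == ["ip", "vrf", "forwarding"] and len(words) == 4:
            table[name] = (words[3], None)  # entering a VRF drops an earlier address
        elif name and words[:2] == ["ip", "address"] and len(words) == 4:
            table[name] = (table[name][0], ipaddress.ip_interface(f"{words[2]}/{words[3]}"))
    return table

def audit(table):
    """Report VRF members left without an address and overlaps inside one table."""
    findings, seen = [], {}
    for name, (vrf, addr) in table.items():
        if addr is None and vrf != GLOBAL:
            findings.append(f"{name}: in VRF {vrf} but has no IP address")
        elif addr is not None:
            findings += [f"{name}: {addr.network} overlaps with {other} in {vrf}"
                         for other, net in seen.get(vrf, []) if net.overlaps(addr.network)]
            seen.setdefault(vrf, []).append((name, addr.network))
    return findings

def reachable(table, ingress, dest):
    """True if dest is on a connected network in the ingress interface's table."""
    vrf, target = table[ingress][0], ipaddress.ip_address(dest)
    return any(v == vrf and a is not None and target in a.network for v, a in table.values())
```

Running audit() on a configuration before it is pasted into a router catches the ordering mistake the comments above warn about; reachable() only models connected routes, so static or dynamic routes inside a VRF are out of its scope.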

Now let's test our reachability to R2 and R3.

//notice we now have to clue R1 into the fact that we want
//to use a VRF as opposed to the global routing table.
//ping R2
R1#ping vrf red 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
//ping R3
R1#ping vrf blue 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#

Even though [Link] is directly connected to Fa0/0.10 and Fa0/0.20, it does not show up with a show ip
[Link], show ip route shows the global routing table.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
R1#

To see the routes associated with a VRF, we have to add the vrf vrf-name parameter.

R1#show ip route vrf red
Routing Table: red
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C    192.168.1.0/24 is directly connected, FastEthernet0/0.10
R1#show ip route vrf blue
Routing Table: blue
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C    192.168.1.0/24 is directly connected, FastEthernet0/0.20
R1#

Now let's add our loopback interfaces into the appropriate VRFs.

R1(config)#int loop 10
R1(config-if)#ip vrf forwarding red
R1(config-if)#ip address 10.10.10.10 255.255.255.0
R1(config-if)#int loop 20
R1(config-if)#ip vrf forwarding blue
R1(config-if)#ip address 20.20.20.20 255.255.255.0
R1(config-if)#exit

Finally, [Link], [Link]
in this lab we do and can therefore use them to confirm the functionality.
R2 (should be able to reach 10.10.10.10, but not 20.20.20.20)

R2(config)#do ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#do ping 20.20.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R3 (should not be able to reach 10.10.10.10, but should have access to 20.20.20.20)

R3(config)#do ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3(config)#do ping 20.20.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3(config)#

While solving our challenge, [Link]
a foundational building block that has given network designers great flexibility when designing MPLS networks.
In future articles, we will build on this example and demonstrate methods for jumping between VRFs and utilizing
NAT in a multitenant environment.


Readers of this article may also enjoy:
1. VRFing 102, Providing Internet Access With Dynamic PAT
2. VRFing 103, Using NAT Virtual Interfaces for Global Reachability
3. The Operation of Proxy Arp
4. Multiple Protocols over IPSec
5. Combining GRE and IPSec with a Front Side VRF

About Paul Stewart, CCIE 26009 (Security)
Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15
years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks
and systems.

34 Responses to VRFing 101, Understanding VRF Basics
Roger Stewart says:
July 12, 2012 at 11:19 AM

This looks interesting.

Bashir says:
July 14, 2012 at 3:25 AM

Great post for newbie..
thanks

Elvin Arias says:
July 15, 2012 at 6:31 PM

Thanks for the article.
Elvin

Abhishek Sagar says:
November 4, 2012 at 5:51 AM

what is the purpose of loopback interfaces, and how does the author make this claim R2 (should be able to reach
[Link], but not 20.20.20.20)?? pls help, i am a beginner.

Paul Stewart says:
November 4, 2012 at 8:42 AM

The loopback interfaces, in this example, [Link]
[Link]. The reason that R2 can reach one network and
[Link], but evidenced by the
[Link].

Kuleaze says:
March 6, 2013 at 4:37 PM

In the next coming weeks I have to set up a VRF instance in one of our new locations in Chicago, this has helped lay a good
[Link]!!

Santosh says:
February 24, 2014 at 6:56 AM

Hi,
I am confused, why the author talks about VLAN here.
[Link]???

Sensie says:
December 25, 2014 at 4:53 PM

Hi
the VLANs separate the traffic on layer 2 on the switch, otherwise the routers will be able to talk to each other on
a layer 2 basis and this example will not work correctly.
VRF is very important and this is just the basics but it's an excellent description.

Rahul says:
March 6, 2014 at 7:59 AM

very nice article thanks.

Gowtham Balachandhiran says:
May 16, 2014 at 3:45 AM

[Link]
[Link]
[Link].

Paul Stewart, CCIE 26009 (Security) says:
May 16, 2014 at 4:08 AM

[Link]
[Link], that is sort of an underlying technology that could impact the results but not change the concepts
being demonstrated here.

Gowtham Balachandhiran says:
May 16, 2014 at 5:37 AM

This is how my topology will appear one vrf per one subinterface two customers are using the same CE with one subinterface
[Link]

Paul Stewart, CCIE 26009 (Security) says:
May 16, 2014 at 1:36 PM

[Link], you
[Link] (that is possibly not
under your control)?

vadan mehta says:
June 26, 2014 at 3:07 PM

Hi Paul.
Thank you very much for this information.
I have one basic question:
Does One VRF points to one Public IP address!! and Multi VRF capability means One Public IP address shared by many VRF
instances??
regds
Vadan

Paul Stewart, CCIE 26009 (Security) says:
June 26, 2014 at 6:18 PM

I've not tried that, [Link].
[Link], it is using a pool per vrf.
[Link]

madim2013 says:
August 5, 2014 at 6:09 PM

Hello Paul,
Fantastic post and i see your name also on the Cisco community.
[Link].
Hope the below is clear: :)
(i cannot post a diagram so hope this is sufficient :)
Host A > | |
| A LAYER 2
ACCESS SW | trunk passing VLAN A + VLAN B to DIST SWITCH
Host B > | |
the DIST Switch will have a VRF for VLAN A only
Host A should not ping Host B
Host A should ping the default gateway, A layer 3 SVI placed in a VRF of the layer 3 switch
Host A has a dedicated vlan A in the access switch and layer 3 dist switch Vlan database
Host B should not ping Host A
Host B should ping the default gateway, A layer 3 SVI not in any VRF of the layer 3 switch
Host B has a dedicated vlan B in the access switch and layer 3 dist switch Vlan database
Basically, Host B is part of the corporate network and requires to access far more network than Host A need to do. (Think of
host A being a 3rd Party or Guest LAN)
[Link] (the VRF one) and
place it into the VRF A
which is part of the SVI for VLAN A?
Many thanks in advance
Best Wishes
Markus

madim2013 says:
August 5, 2014 at 6:11 PM

Sorry the above (attempted) diagram did not come out that well,
Basically, host A and host B are attached to the same layer 2 access switch
each access port is configured with the basic switchport mode/access vlan etc
many thanks again
Best wishes
markus

Paul Stewart, CCIE 26009 (Security) says:
August 5, 2014 at 9:03 PM

[Link]
[Link] (native untagged and all other
tagged). So your scenario, properly configured, can give isolation between host A and host B even though they are
connected to the access switch.

Nyan Lin Soe says:
November 24, 2014 at 5:37 AM

[Link].

Clayton Meyer says:
November 24, 2014 at 12:51 PM

This is a great, [Link]!

Shane Taylor says:
January 28, 2015 at 11:06 AM

[Link]. I forgot that R2/R3 do not know about the
10 or 20 subnets so I either had to just add a static route on both or run a routing protocol.

[Link]:
March 14, 2015 at 10:47 AM

Hey Paul,
Very helpful, nice and precise post
It made basic understand very clear.
Unless basic is clear moving further is trouble.
You made it very well, thanks again.
Best Regards
Sushim

[Link]:
March 23, 2015 at 4:46 PM

Excellent intro to VRFs and more important why we use them!!

Sushanta Mishra says:
May 15, 2015 at 6:48 AM

[Link], why MPLS is supported in the local vrf only?

khan says:
August 24, 2015 at 5:30 AM

Great explanation

Bernard says:
September 2, 2015 at 2:59 AM

Hi Paul,
Great explanation
I have a small question, at the end you are pinging from R3 > R1's loopback 20.
how the ping is working? (is there any static route on R3 for 20.20.20.20 via next hop 192.168.1.1?)
Or because they are in the same VRF instance they see each other?
Regards,

Paul Stewart, CCIE 26009 (Security) says:
September 2, 2015 at 2:10 PM

[Link]
[Link]
[Link]
Sorry for the confusion.

Devnarayan says:
October 1, 2015 at 7:08 AM

Hi Paul,
please help, [Link]
[Link]
[Link]

Devnarayan says:
October 5, 2015 at 12:57 AM

Hi Paul, if possible can you please help me in this case

Paul Stewart, CCIE 26009 (Security) says:
October 5, 2015 at 7:39 AM

[Link]
needs to be some planning around IP addressing (do you have your own address space and ASN), NAT
(where does that terminate), Checkpoint capabilities (are they A/S or clustered, do they communicate state,
can IGPs and/or BGP terminate on the FW or go through it), what is positioned upstream and what had the
memory to take BGP table if required? There is a lot in this question, but VRF wouldn't typically be a
requirement.

Kevynjr says:
October 3, 2015 at 12:46 PM

More stuff vrf please

Paul Stewart, CCIE 26009 (Security) says:
October 4, 2015 at 10:28 AM

[Link]
FirePOWER, AMP, ISE and VRFs (and how they work with Nexus VDCs and ASA contexts). As I find time, I'll try to
post some more of what you are requesting.
